Satisfiability Calculus: The Semantic Counterpart of a Proof Calculus in General Logics

HAL Id: hal-01485970

https://hal.inria.fr/hal-01485970

Submitted on 9 Mar 2017

HAL

is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire

destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Distributed under a Creative Commons

Satisfiability Calculus: The Semantic Counterpart of a Proof Calculus in General Logics

Carlos López Pombo, Pablo Castro, Nazareno Aguirre, Thomas Maibaum

To cite this version:

Carlos López Pombo, Pablo Castro, Nazareno Aguirre, Thomas Maibaum. Satisfiability Calculus:

The Semantic Counterpart of a Proof Calculus in General Logics. 21th InternationalWorkshop on

Algebraic Development Techniques (WADT), Jun 2012, Salamanca, Spain. pp.195-211, �10.1007/978-

3-642-37635-1_12�. �hal-01485970�

Satisfiability Calculus: The Semantic Counterpart of a Proof Calculus in General

Logics

Carlos G. L´opez Pombo^1,3, Pablo F. Castro^2,3, Nazareno M. Aguirre^2,3, and Thomas S.E. Maibaum⁴

1 Departmento de Computaci´on, FCEyN, Universidad de Buenos Aires, Argentina.

clpombo@dc.uba.ar

2 Departmento de Computaci´on, FCEFQyN, Universidad Nacional de R´ıo Cuarto, Argentina.{pcastro,naguirre}@dc.exa.unrc.edu.ar

3 Consejo Nacional de Investigaciones Cient´ıficas y T´ecnicas (CONICET), Argentina

4 Department of Computing & Software, McMaster University, Canada.

tom@maibaum.org

Abstract. Since its introduction by Goguen and Burstall in 1984, the theory of institutions has been one of the most widely accepted formal- izations of abstract model theory. This work was extended by a number of researchers, Jos´e Meseguer among them, who presentedGeneral Log- ics, an abstract framework that complements the model theoretical view of institutions by defining the categorical structures that provide a proof theory for any given logic. In this paper we intend to complete this pic- ture by providing the notion ofSatisfiability Calculus, which might be thought of as the semantical counterpart of the notion of proof calculus, that provides the formal foundations for those proof systems that use model construction techniques to prove or disprove a given formula, thus

“implementing” the satisfiability relation of an institution.

1 Introduction

The theory of institutions, presented by Goguen and Burstall in [1], provides a formal and generic definition of what a logical system is, from a model the- oretical point of view. This work evolved in many directions: in [2], Meseguer complemented the theory of institutions by providing a categorical characteri- zation for the notions of entailment system (also called π-institutions by other authors in [3]) and the corresponding notion of proof calculi; in [4, 5] Goguen and Burstall, and Tarlecki, respectively, extensively investigated the ways in which institutions can be related; in [6], Sannella and Tarlecki studied how specifica- tions in an arbitrary logical system can be structured; in [7], Tarlecki presented an abstract theory of software specification and development; in [8, 9] and [10, 11], Mossakowski and Tarlecki, and Diaconescu, respectively, proposed the use of institutions as a foundation for heterogeneous environments for software spec- ification. Institutions have also been used as a very general version of abstract

model theory [12], offering a suitable formal framework for addressing hetero- geneity in specifications [13, 14], including applications to UML [15] and other languages related to computer science and software engineering.

Extensions of institutions to capture proof theoretical concepts have been extensively studied, most notably by Meseguer [2]. Essentially, Meseguer pro- poses the extension of entailment systems with a categorical concept expressive enough to capture the notion ofproof in an abstract way. In Meseguer’s words:

A reasonable objection to the above definition of logic⁵is that it abstracts away the structure of proofs, since we know only that a setΓ of sentences entails another sentenceϕ, but no information is given about the internal structure of such a Γ ` ϕ entailment. This observation, while entirely correct, may be a virtue rather than a defect, because the entailment relation is precisely what remains invariant under many equivalent proof calculi that can be used for a logic.

Before Meseguer’s work, there was an imbalance in the definition of a logic in the context of institution theory, since the deductive aspects of a logic were not taken into account. Meseguer concentrates on the proof theoretical aspects of a logic, providing not only the definition of entailment system, but also com- plementing it with the notion of proof calculus, obtaining what he calls alogical system. As introduced by Meseguer, the notion of proof calculus provides, intu- itively, an implementation of the entailment relation of a logic. Indeed, Meseguer corrected the inherent imbalance in favour of models in institutions, enhancing syntactic aspects in the definition of logical systems.

However, the same lack of an operational view observed in the definition of entailment systems still appears with respect to the notion of satisfiability, i.e., the satisfaction relation of an institution. In the same way that an entailment system may be “implemented” in terms of different proof calculi, a satisfaction relation may be “implemented” in terms of different satisfiability procedures.

Making these satisfiability procedures explicit in the characterization of logical systems is highly relevant, since many successful software analysis tools are based on particular characteristics of these satisfiability procedures. For instance, many automated analysis tools rely on model construction, either for proving proper- ties, as with model-checkers, or for finding counterexamples, as with tableaux techniques or SAT-solving based tools. These techniques constitute an impor- tant stream of research in logic, in particular in relation to (semi-)automated software validation and verification.

These kinds of logical systems can be traced back to the works of Beth [16, 17], Herbrand [18] and Gentzen [19]. Beth’s ideas were used by Smullyan to for- mulate the tableaux method for first-order predicate logic [20]. Herbrand’s and Gentzen’s works inspired the formulation of resolution systems presented by Robinson [21]. Methods like those based on resolution and tableaux are strongly

5 Authors’ note: Meseguer refers to a logic as a structure that is composed of an entailment system together with an institution, see Def. 6.

related to the semantics of a logic; one can often use them to guide the construc- tion of models. This is not possible inpure deductive methods, such as natural deduction or Hilbert systems, as formalized by Meseguer. In this paper, our goal is to provide an abstract characterization of this class of semantics based tools for logical systems. This is accomplished by introducing a categorical characteri- zation of the notion of satisfiability calculus which embraces logical tools such as tableaux, resolution, Gentzen style sequents, etc. As we mentioned above, this can be thought of as a formalization of a semantic counterpart of Meseguer’s proof calculus. We also explore the concept of mappings between satisfiability calculi and the relation between proof calculi and satisfiability calculi.

The paper is organized as follows. In Section 2 we present the definitions and results we will use throughout this paper. In Section 3 we present a categorical formalization of satisfiability calculus, and prove relevant results underpinning the definitions. We also present examples to illustrate the main ideas. Finally in Section 4 we draw some conclusions and describe further lines of research.

2 Preliminaries

From now on, we assume the reader has a nodding acquaintance with basic concepts from category theory [22, 23]. Below we present the basic definitions and results we use throughout the rest of the paper. In the following, we follow the notation introduced in [2].

An Institution is an abstract formalization of the model theory of a logic by making use of the relationships existing between signatures, sentences and models. These aspects are reflected by introducing the category of signatures, and by defining functors going from this category to the categoriesSetandCat, to capture sets of sentences and categories of models, respectively, for a given signature. The original definition of institutions is the following:

Definition 1. ([1])An institutionis a structure of the formhSign,Sen,Mod,{|=^Σ }_Σ∈|Sign|i satisfying the following conditions:

– Signis a category of signatures,

– Sen:Sign→Set is a functor. Let Σ∈ |Sign|, then Sen(Σ) returns the set ofΣ-sentences,

– Mod:Sign^op→Cat is a functor. LetΣ∈ |Sign|, thenMod(Σ)returns the category ofΣ-models,

– {|=^Σ}_Σ∈|Sign|, where |=^Σ⊆ |Mod(Σ)| ×Sen(Σ), is a family of binary rela- tions,

and for any signature morphism σ : Σ → Σ⁰, Σ-sentence φ ∈ Sen(Σ) and Σ⁰-modelM⁰∈ |Mod(Σ)|, the following|=-invariance condition holds:

M⁰|=^Σ0 Sen(σ)(φ) iff Mod(σ^op)(M⁰)|=^Σ φ .

Roughly speaking, the last condition above says that the notion of truth is in- variant with respect to notation change. Given Σ ∈ |Sign| and Γ ⊆ Sen(Σ),

Mod(Σ, Γ) denotes the full subcategory ofMod(Σ) determined by those mod- elsM ∈ |Mod(Σ)|such thatM |=^Σγ, for allγ∈Γ. The relation|=^Σ between sets of formulae and formulae is defined in the following way: given Σ∈ |Sign|, Γ ⊆ Sen(Σ) and α ∈ Sen(Σ), Γ |=^Σ α if and only if M |=^Σ α, for all M ∈ |Mod(Σ, Γ)|.

An entailment system is defined in a similar way, by identifying a family of syntacticconsequence relations, instead of a family of semantic consequence relations. Each of the elements in this family is associated with a signature.

These relations are required to satisfy reflexivity, monotonicity and transitivity.

In addition, a notion of translation between signatures is considered.

Definition 2. ([2])An entailment systemis a structure of the formhSign,Sen,{`^Σ }_Σ∈|Sign|i satisfying the following conditions:

– Signis a category of signatures,

– Sen:Sign→Set is a functor. Let Σ∈ |Sign|; then Sen(Σ) returns the set ofΣ-sentences, and

– {`<sup>Σ</sup>}<sub>Σ∈|Sign|</sub>, where `^Σ⊆2^Sen(Σ)×Sen(Σ), is a family of binary relations such that for anyΣ, Σ⁰∈ |Sign|,{φ} ∪ {φi}i∈I ⊆Sen(Σ),Γ, Γ⁰⊆Sen(Σ), the following conditions are satisfied:

1. reflexivity:{φ} `^Σ φ,

2. monotonicity: if Γ `<sup>Σ</sup> φandΓ ⊆Γ<sup>0</sup>, thenΓ<sup>0</sup> `^Σφ,

3. transitivity: if Γ `<sup>Σ</sup> φ<sub>i</sub> for all i ∈ I and {φi}i∈I `^Σ φ, then Γ `^Σ φ, and

4. `-translation: if Γ `^Σ φ, then for any morphism σ :Σ →Σ⁰ in Sign, Sen(σ)(Γ)`^Σ0 Sen(σ)(φ).

Definition 3. ([2]) Let hSign,Sen,{`^Σ}_Σ∈|Sign|i be an entailment system. Its categoryTh of theories is a pairhO,Aisuch that:

– O={ hΣ, Γi |Σ∈ |Sign| andΓ ⊆Sen(Σ)}, and – A=

(

σ:hΣ, Γi → hΣ⁰, Γ⁰i

hΣ, Γi,hΣ⁰, Γ⁰i ∈ O,

σ:Σ→Σ⁰is a morphism inSignand for allγ∈Γ, Γ⁰`^Σ0 Sen(σ)(γ)

) .

In addition, if a morphismσ:hΣ, Γi → hΣ⁰, Γ⁰isatisfiesSen(σ)(Γ)⊆Γ⁰, it is calledaxiom preserving. By retaining those morphisms ofThthat are axiom pre- serving, we obtain the subcategoryTh0. If we now consider the definition ofMod extended to signatures and sets of sentences, we get a functorMod:Th^op →Cat defined as follows: letT =hΣ, Γi ∈ |Th|, thenMod(T) =Mod(Σ, Γ).

Definition 4. ([2]) Let hSign,Sen,{`^Σ}_Σ∈|Sign|i be an entailment system and hΣ, Γi ∈ |Th₀|. We define^•: 2^Sen(Σ)→2^Sen(Σ)as follows:Γ^•=

γ

Γ `^Σ γ . This function is extended to elements ofTh₀, by defining it as follows:hΣ, Γi^•= hΣ, Γ^•i.Γ^• is called the theory generated by Γ.

Definition 5. ([2])LethSign,Sen,{`<sup>Σ</sup>}<sub>Σ∈|Sign|</sub>iandhSign<sup>0</sup>,Sen<sup>0</sup>,{`^0Σ}_Σ∈|Sign⁰_|i be entailment systems, Φ : Th0 → Th⁰0 be a functor and α : Sen →Sen⁰◦Φ a natural transformation. Φ is said to be α-sensible if and only if the following conditions are satisfied:

1. there is a functor Φ:Sign→Sign⁰ such that sign⁰◦Φ=Φ◦sign, where signand sign⁰ are the forgetful functors from the corresponding categories of theories to the corresponding categories of signatures, that when applied to a given theory project its signature, and

2. ifhΣ, Γi ∈ |Th0| andhΣ⁰, Γ⁰i ∈ |Th⁰0| such that Φ(hΣ, Γi) =hΣ⁰, Γ⁰i, then (Γ⁰)^•= (∅⁰∪αΣ(Γ))^•, where∅⁰=αΣ(∅)⁶.

Φis said to be α-simpleif and only ifΓ⁰=∅⁰∪α_Σ(Γ)is satisfied in Condition 2, instead of (Γ⁰)^•= (∅⁰∪αΣ(Γ))^•.

It is straightforward to see, based on the monotonicity of ^•, that α-simplicity impliesα-sensibility. Anα-sensible functor has the property that the associated natural transformation αdepends only on signatures. Now, from Definitions 1 and 2, it is possible to give a definition of logic by relating both its model- theoretic and proof-theoretic characterizations; a coherence between the seman- tic and syntactic relations is required, reflecting the soundness and completeness of standard deductive relations of logical systems.

Definition 6. ([2]) A logic is a structure of the form hSign,Sen,Mod,{`^Σ }_Σ∈|Sign|,{|=^Σ}_Σ∈|Sign|isatisfying the following conditions:

– hSign,Sen,{`^Σ}_Σ∈|Sign|iis an entailment system, – hSign,Sen,Mod,{|=^Σ}_Σ∈|Sign|iis an institution, and

– the following soundness condition is satisfied: for any Σ ∈ |Sign|, φ ∈ Sen(Σ),Γ ⊆Sen(Σ):Γ `^Σ φ implies Γ |=^Σ φ .

A logic is complete if, in addition, the following condition is also satisfied: for any Σ∈ |Sign|,φ∈Sen(Σ),Γ ⊆Sen(Σ):Γ |=^Σ φ implies Γ `^Σφ . Definition 2 associates deductive relations to signatures. As already discussed, it is important to analyze how these relations are obtained. The next definition introduces the notion of proof calculus. It formalizes the possibility of associ- ating a proof-theoretic structure to the deductive relations introduced by the definitions of entailment systems. In [2, Ex. 11, pp. 15], Meseguer presents nat- ural deduction as a proof calculus for first-order predicate logic by resorting to multicategories (see [2, Definition 10]).

Definition 7. ([2]) A proof calculusis a structure of the form hSign,Sen,{`^Σ }_Σ∈|Sign|,P,Pr, πisatisfying the following conditions:

– hSign,Sen,{`^Σ}_Σ∈|Sign|iis an entailment system,

– P:Th0→StructP C is a functor. Let T ∈ |Th0|, then P(T)∈ |StructP C| is the proof-theoretical structure ofT,

– Pr: StructP C →Set is a functor. Let T ∈ |Th0|, then Pr(P(T))is the set of proofs ofT; the composite functorPr◦P:Th0→Set will be denoted by proofs, and

6 ∅⁰ is not necessarily the empty set of axioms. This fact will be clarified later on.

– π : proofs → Sen is a natural transformation such that for each T = hΣ, Γi ∈ |Th₀| the image of π_T : proofs(T) →Sen(T) is the set Γ^•. The mapπT is called the projection from proofs to theoremsfor the theoryT. Finally, alogical system is defined as a logic plus a proof calculus for its proof theory.

Definition 8. ([2]) Alogical system is a structure of the form hSign,Sen,Mod,{`^Σ}_Σ∈|Sign|,{|=^Σ}_Σ∈|Sign|,P,Pr, πi satisfying the following conditions:

– hSign,Sen,Mod,{`<sup>Σ</sup>}<sub>Σ∈|Sign|</sub>,{|=<sup>Σ</sup>}<sub>Σ∈|Sign|</sub>iis a logic, and – hSign,Sen,{`^Σ}_Σ∈|Sign|,P,Pr, πiis a proof calculus.

3 Satisfiability Calculus

In Section 2, we presented the definitions of institutions and entailment systems.

Additionally, we presented Meseguer’s categorical formulation of proof that pro- vides operational structure for the abstract notion of entailment. In this section, we provide a categorical definition of a satisfiability calculus, providing a corre- sponding operational formulation of satisfiability. A satisfiability calculus is the formal characterization of a method for constructing models of a given theory, thus providing the semantic counterpart of a proof calculus. Roughly speaking, the semantic relation of satisfaction between a model and a formula can also beimplemented by means of some kind of structure that depends on the model theory of the logic. The definition of a satisfiability calculus is as follows:

Definition 9. [Satisfiability Calculus]Asatisfiability calculusis a structure of the formhSign,Sen,Mod,{|=^Σ}_Σ∈|Sign|,M,Mods, µisatisfying the following conditions:

– hSign,Sen,Mod,{|=^Σ}_Σ∈|Sign|iis an institution,

– M:Th0→StructSC is a functor. Let T ∈ |Th0|, thenM(T)∈ |StructSC|is the model structure ofT,

– Mods:StructSC →Cat is a functor. Let T ∈ |Th0|, then Mods(M(T))is the category of canonical models of T; the composite functor Mods◦M : Th0→Cat will be denoted by models, and

– µ:models^op → Mod is a natural transformation such that, for eachT = hΣ, Γi ∈ |Th0|, the image of µ_T :models^op(T)→Mod(T)is the category of modelsMod(T). The map µ_T is called the projection of the category of modelsof the theory T.

The intuition behind the previous definition is that, for any theoryT, the func- tor Massigns a model structure forT in the categoryStructSC7. For instance,

7 Notice that the target of functorM, when applied to a theory T, is not necessar- ily a model, but a structure which, under certain conditions, can be considered a representation of the category of models ofT.

in propositional tableaux, a good choice for Struct_SC is the collection of legal tableaux, where the functorM maps a theory to the collection of tableaux ob- tained for that theory. The functor Modsprojects those particular structures that represent sets of conditions that can produce canonical models of a theory T =hΣ, Γi(i.e., the structures that represent canonical models ofΓ). For exam- ple, in the case of propositional tableaux, this functor selects the open branches of tableaux, that represent satisfiable sets of formulae, and returns the collec- tions of formulae obtained by closuring these sets. Finally, for any theoryT, the functorµT relates each of these sets of conditions to the corresponding canonical model. Again, in propositional tableaux, this functor is obtained by relating a closured set of formulae with the models that can be defined from these sets of formulae in the usual ways [20].

Example 1. [Tableaux Method for First-Order Predicate Logic] Let us start by presenting the tableaux method for first-order logic. Let us denote by IF OL =hSign,Sen,Mod,{|=^Σ}_Σ∈|Sign|i the institution of first-order predicate logic. LetΣ∈ |Sign|andS⊆Sen(Σ); then a tableau forS is a tree such that:

1. the nodes are labeled with sets of formulae (over Σ) and the root node is labeled withS,

2. if uand v are two connected nodes in the tree (ubeing an ancestor of v), then the label of v is obtained from the label of u by applying one of the following rules:

X∪ {A∧B}

X∪ {A∧B, A, B} [∧]

X∪ {A∨B}

X∪ {A∨B, A} X∪ {A∨B, B} [∨]

X∪ {¬¬A}

[¬1] X∪ {¬¬A, A}

X∪ {A}

[¬2] X∪ {A,¬¬A}

X∪ {A,¬A}

[false]

Sen(Σ) X∪ {¬(A∧B)}

[DM1] X∪ {¬(A∧B),¬A∨ ¬B}

X∪ {¬(A∨B)}

[DM2] X∪ {¬(A∨B),¬A∧ ¬B}

X∪ {(∀x)P(x)}

X∪ {(∀x)P(x), P(t)} [∀]

X∪ {(∃x)P(x)}

X∪ {(∃x)P(x), P(c)} [∃]

where, in the last rules,cis a new constant and tis a ground term. A sequence of nodes s0

τ₀^α0

−−→s1 τ₁^α1

−−→s2 τ₂^α2

−−→. . . is abranch if:a)s0is the root node of the tree, and b) for all i ≤ ω, s_i → s_i+1 occurs in the tree, τ_i^αi is an instance of one of the rules presented above, andα_i are the formulae ofs_i to which the rule was applied. A branch s0

τ₀^α0

−−→s1 τ₁^α1

−−→s2 τ₂^α2

−−→. . . in a tableau is saturated if there existsi≤ω such thatsi=si+1. A branchs0

τ₀^α0

−−→s1 τ₁^α1

−−→s2 τ₂^α2

−−→. . .in a tableau isclosed if there existsi≤ω andα∈Sen(Σ) such that{α,¬α} ⊆si.

Lets₀ ^τ

α0

−−→0 s₁ ^τ

α1

−−→1 s₂ ^τ

α2

−−→2 . . .be a branch in a tableau. Examining the rules presented above, it is straightforward to see that everysi withi < ω is a set of formulae. In each step, we have either the application of a rule decomposing one formula of the set into its constituent parts with respect to its major connective,

while preserving satisfiability, or the application of the rule [f alse] denoting the fact that the corresponding set of formulae is unsatisfiable. Thus, the limit set of the branch is a set of formulae containing sub-formulae (and “instances” in the case of quantifiers) of the original set of formulae for which the tableau was built.

As a result of this, every open branch expresses, by means of a set of formulae, the class of models satisfying them.

In order to define the tableau method as a satisfiability calculus, we provide formal definitions forM,Modsandµ. The proofs of the lemmas and properties shown below are straightforward using the introduced definitions. The interested reader can find these proofs in [24]. First, we introduce the category Str^Σ,Γ of tableaux for sets of formulae over signature Σ and assuming the set of axioms Γ. In Str^Σ,Γ, objects are sets of formulae over signature Σ, and morphisms represent tableaux for the set occurring in their target and having subsets of the set of formulae occurring at the end of open branches, as their source.

Definition 10. Let Σ ∈ |Sign| and Γ ⊆ Sen(Σ), then we define Str^Σ,Γ = hO,Ai such that O = 2^Sen(Σ) and A = {α : {A_i}_i∈I → {B_j}_j∈J | α = {α_j}_j∈J}, where for all j ∈ J,α_j is a branch in a tableau for Γ ∪ {B_j} with leaves ∆⊆ {A_i}_i∈I. It should be noted that∆|=_Σ Γ∪ {B_j}.

Lemma 1. Let Σ ∈ |Sign| and Γ ⊆ Sen(Σ); then hStr^Σ,Γ,∪,∅i, where ∪ : Str^Σ,Γ×Str^Σ,Γ →Str^Σ,Γ is the typical bi-functor on sets and functions, and

∅ is the neutral element for ∪, is a strict monoidal category.

Using this definition we can introduce the category of legal tableaux, denoted byStruct_SC.

Definition 11. StructSC is defined ashO,AiwhereO={Str^Σ,Γ |Σ∈ |Sign| ∧ Γ ⊆ Sen(Σ)}, and A = {bσ : Str^Σ,Γ → Str^Σ0,Γ0 | σ : hΣ, Γi → hΣ⁰, Γ⁰i ∈

||Th0||}, the homomorphic extension of the morphisms in ||Th0||.

Lemma 2. StructSC is a category.

The functor M must be understood as the relation between a theory in |Th0| and its category of structures representing legal tableaux. So, for every the- ory T, M associates the strict monoidal category [22] hStr^Σ,Γ,∪,∅i, and for every theory morphism σ : hΣ, Γi → hΣ⁰, Γ⁰i, M associates a morphism bσ : Str^Σ,Γ →Str^Σ0,Γ0 which is the homomorphic extension ofσto the structure of the tableaux.

Definition 12. M:Th0 →StructSC is defined as M(hΣ, Γi) = hStr^Σ,Γ,∪,∅i andM(σ:hΣ, Γi → hΣ⁰, Γ⁰i) =bσ:hStr^Σ,Γ,∪,∅i → hStr^Σ0,Γ0,∪,∅i, the homo- morphic extension ofσ to the structures inhStr^Σ,Γ,∪,∅i.

Lemma 3. M is a functor.

In order to define M ods, we need the following auxiliary definition, which re- sembles the usual construction of maximal consistent sets of formulae.

Definition 13. LetΣ∈ |Sign|,∆⊆Sen(Σ), and consider{F_i}_i<ωan enumer- ation ofSen(Σ)such that for every formulaα, its sub-formulae are enumerated beforeα. ThenCn(∆)is defined as follows:

– Cn(∆) =S

i<ωCnⁱ(∆) – Cn⁰(∆) =∆,Cnⁱ⁺¹(∆) =

Cnⁱ(∆)∪ {Fi} , ifCnⁱ(∆)∪ {Fi} is consistent.

Cnⁱ(∆)∪ {¬F_i}, otherwise.

Given hΣ, Γi ∈ |Th0|, the functor Mods provide the means for obtaining the category containing the closure of those structures inStr^Σ,Γ that represent the closure of the branches in saturated tableaux.

Definition 14. Mods:Struct_SC →Catis defined as:

Mods(hStr^Σ,Γ,∪,∅i) ={hΣ, Cn(∆)i |e (∃α:∆→ ∅ ∈ ||Str^Σ,Γ||)

(∆e→ ∅ ∈α∧(∀α⁰ :∆⁰ →∆∈ ||Str^Σ,Γ||)(∆⁰=∆))}

and for all σ : Σ → Σ⁰ ∈ |Sign| (and bσ : hStr^Σ,Γ,∪,∅i → hStr^Σ0,Γ0,∪,∅i ∈

||StructSC||), the following holds:

Mods(σ)(hΣ, Cn(b ∆)i) =e hΣ⁰, Cn(Sen(σ)(Cn(∆)))i.e

Lemma 4. Mods is a functor.

Finally, the natural transformation µ relates the structures representing satu- rated tableaux with the model satisfying the set of formulae denoted by the source of the morphism.

Definition 15. Let hΣ, Γi ∈ |Th0|, then we define µΣ : models^op(hΣ, Γi) → ModF OL(hΣ, Γi) asµΣ(hΣ, ∆i) =Mod(hΣ, ∆i).

Fact 1 Let Σ∈ |Sign_{F OL}| andΓ ⊆Sen_{F OL}(Σ). Thenµ_hΣ,Γi is a functor.

Lemma 5. µis a natural transformation.

Now, from Lemmas 3, 4, and 5, and considering the hypothesis thatIF OLis an institution, the following corollary follows.

Corollary 1. hSign_{F OL},SenF OL,ModF OL,{|=^Σ_{F OL}}_Σ∈|Sign

F OL|,M,Mods, µiis a satisfiability calculus.

Another important kind of system used by automatic theorem provers are the so-called resolution methods. Below, we show how any resolution system conforms to the definition of satisfiability calculus.

Example 2. [Resolution Method for First-Order Predicate Logic] Let us describe resolution for first-order logic as introduced in [25]. We use the following notation: [] denotes the empty list; [A] denotes the unitary list containing the formula A; `0, `1, . . . are variables ranging over lists; and `i+`j denotes the concatenation of lists `i and `j. Resolution builds a list of lists representing a disjunction of conjunctions. The rules for resolution are the following:

`0+ [¬¬A] +`1

`0+ [A] +`1 [¬¬]

`0+ [¬A] +`1

`<sup>0</sup><sub>0</sub>+ [A] +`⁰₁

`0+`1+`<sup>0</sup><sub>0</sub>+`⁰₁ [¬]

`0+ [A∧A<sup>0</sup>] +`1

`0+ [A, A<sup>0</sup>] +`1 [∧]

`0+ [¬(A∨A<sup>0</sup>)] +`1

`0+ [¬A,¬A<sup>0</sup>] +`1 [¬∧]

`0+ [A∨A<sup>0</sup>] +`1

`0+ [A] +`1 [∨]

`0+ [A<sup>0</sup>] +`1

`0+ [¬(A∧A<sup>0</sup>)] +`1

`0+ [¬A] +`1 [¬∧]

`0+ [¬A<sup>0</sup>] +`1

`0+ [∀x:A(x)] +`1

for any closed termt [∀]

`0+ [A[x/t]] +`1

`0+ [∃x:A(x)] +`1

for a new constantc [∃]

`0+ [A[x/c]] +`1

where A(x) denotes a formula with free variablex, andA[x/t] denotes the for- mula resulting from replacing variable x by term t everywhere in A. For the sake of simplicity, we assume that lists of formulae do not have repeated ele- ments. A resolution is a sequence of lists of formulae. If a resolution contains an empty list (i.e., []), we say that the resolution is closed; otherwise it is anopen resolution. For every signature Σ ∈ |Sign| and each Γ ⊂ Sen(Σ), we denote by Str^Σ,Γ the category whose objects are lists of formulae, and where every morphismσ: [A0, . . . , An]→[A⁰₀, . . . , A⁰_m] represents a sequence of application of resolution rules for [A⁰₀, . . . , A⁰_m]. Then,StructSC is a category whose objects areStr^Σ,Γ, for each signatureΣ∈ |Sign|and set of formulae Γ ∈Sen(Σ), and whose morphisms are of the formbσ:Str^Σ,Γ →Str^Σ0,Γ0, obtained by homomor- phically extendingσ:hΣ, Γi → hΣ⁰, Γ⁰iin||Th0||.

As for the case of Example 1, the functorM : Th0 → StructSC is defined as M(hΣ, Γi) =hStr^Σ,Γ,∪,∅i, andMods:StructSC →Setis defined as in the previous example.

A typical use for the methods involved in the above described examples is the search for counterexamples of a given logical property. For instance, to search for counterexamples of an intended property in the context of the tableaux method, one starts by applying rules to the negation of the property, and once a saturated tableau is obtained, if all the branches are closed, then there is no model of the axioms and the negation of the property, indicating that the latter is a theorem.

On the other hand, if there exists an open branch, the limit set of that branch characterizes a class of counterexamples for the formula. Notice the contrast with Hilbert systems, where one starts from the axioms, and then applies deduction rules until the desired formula is obtained.

3.1 Mapping Satisfiability Calculi

In [4] the original notion of morphism between Institutions was introduced.

Meseguer defines the notion of plain map in [2], and in [5] Tarlecki extensively discussed the ways in which different institutions can be related, and how they should be interpreted. More recently, in [26] all these notions of morphism were

investigated in detail. In this work we will concentrate only on institution repre- sentations (or comorphisms in the terminology introduced by Goguen and Rosu), since this is the notion that we have employed to formalize several concepts aris- ing from software engineering, such asdata refinement anddynamic reconfigura- tion [27, 28]. The study of other important kinds of functorial relations between satisfiability calculi are left as future work. The following definition is taken from [5], and formalizes the notion of institution representation.

Definition 16. ([5]) Let I = hSign,Sen,Mod,{|=_Σ}_Σ∈|Sign|i and I⁰ = hSign⁰, Sen⁰,Mod⁰,{|=⁰_Σ}_Σ∈|Sign⁰_|i be institutions. Then,hγ^Sign, γ^Sen, γ^{M od}i : I → I⁰ is an institution representationif and only if:

– γ^Sign:Sign→Sign⁰ is a functor,

– γ^Sen:Sen→ γ^Sign◦Sen⁰, is a natural transformation, – γ^{M od}: (γ^Sign)^op◦Mod⁰→ Mod, is a natural transformation,

such that for any Σ ∈ |Sign|, the function γ_Σ^Sen : Sen(Σ) → Sen⁰(γ^Sign(Σ)) and the functor γ_Σ^{M od} : Mod⁰(γ^Sign(Σ)) → Mod(Σ) preserve the following satisfaction condition: for any α∈Sen(Σ)andM⁰ ∈ |Mod(γ^Sign(Σ))|,

M⁰|=^γSign(Σ)γ^Sen_Σ (α) iff γ_Σ^{M od}(M⁰)|=^Σα .

An institution representation γ : I → I⁰ expresses how the “poorer” set of sentences (respectively, category of models) associated withI is encoded in the

“richer” one associated withI⁰. This is done by:

– constructing, for a givenI-signatureΣ, anI⁰-signature into whichΣcan be interpreted,

– translating, for a givenI-signatureΣ, the set ofΣ-sentences into the corre- spondingI⁰-sentences,

– obtaining, for a given I-signature Σ, the category of Σ-models from the corresponding category ofΣ⁰-models.

The direction of the arrows shows how the whole of I is represented by some parts of I⁰. Institution representations enjoy some interesting properties. For instance, logical consequence is preserved, and, under some conditions, logical consequence is preserved in a conservative way. The interested reader is referred to [5] for further details.

In many cases, in particular those in which the class of models of a signature in the source institution is completely axiomatizable in the language of the target one, Definition 16 can easily be extended to map signatures of one institution to theories of another. This is done so that the class of models of the richer one can be restricted, by means of the addition of axioms (thus the need for theories in the image of the functor γ^Sign), in order to be exactly the class of models obtained by translating to it the class of models of the corresponding signature of the poorer one. In the same way, when the previously described extension is possible, we can obtain what Meseguer calls a map of institutions [2, definition 27] by reformulating the definition so that the functor between

signatures of one institution and theories of the other is γ^{T h} : Th₀ → Th⁰₀. This has to be γ^Sen-sensible (see definition 5) with respect to the entailment systems induced by the institutionsI andI⁰. Now, ifhΣ, Γi ∈ |Th₀|, thenγ^{T h0} can be defined as follows:γ^{T h0}(hΣ, Γi) =hγ^Sign(Σ), ∆∪γ_Σ^Sen(Γ)i, where∆⊆ Sen(ρ^Sign(Σ)). Then, it is easy to prove that γ^{T h0} isγ^Sen-simple because it is theγ^Sen-extension ofγ^{T h0} to theories, thus beingγ^Sen-sensible.

The notion of a map of satisfiability calculi is the natural extension of a map of institutions in order to consider the more material version of the satis- fiability relation. In some sense, if a map of institutions provides a means for representing one satisfiability relation in terms of another in a semantics pre- serving way, the map of satisfiability calculi provides a means for representing a model construction technique in terms of another. This is done by showing how model construction techniques for richer logics express techniques associated with poorer ones.

Definition 17. Let S=hSign,Sen,Mod,{|=^Σ}_Σ∈|Sign|,M,Mods, µi andS⁰= hSign⁰,Sen⁰,Mod⁰,{|=^0Σ}_Σ∈|Sign⁰_|,M⁰,Mods⁰, µ⁰ibe satisfiability calculi. Then, hρ^Sign, ρ^Sen, ρ^{M od}, γi:S→S⁰ is a map of satisfiability calculiif and only if:

1. hρ^Sign, ρ^Sen, ρ^{M od}i:I→I⁰ is a map of institutions, and

2. γ:models^0op◦ρ^{T h0} → models^op is a natural transformation such that the following equality holds:

Th0

Mod

modelsop

AA

ρT h0

$$ =⇒µ Cat = Th0

Mod

!!

ρT h0

&&=⇒ρ^{M od} Cat

=⇒γ =⇒ µ⁰

Th⁰₀

models0op

MM

Th⁰₀ ^models0op

NN

Mod0 ..

Roughly speaking, the 2-cell equality in the definition says that the translation of saturated tableaux is coherent with respect to the mapping of institutions.

Example 3. [Mapping Modal Logic to First-Order Logic] A simple ex- ample of a mapping between satisfiability calculi is the mapping between the tableau method for propositional logic, and the one for first-order logic. It is straightforward since the tableau method for first-order logic is an extension of that of propositional logic.

Let us introduce a more interesting example. We will map the tableau method for modal logic (as presented by Fitting [25]) to the first-order predicate logic tableau method. The mapping between the institutions is given by the standard translation from modal logic to first-order logic. Let us recast here the tableau method for the system K of modal logic. Recall that formulae of standard modal logic are built from boolean operators and the “diamond operator”♦. Intuitively, formula♦ϕsays thatϕis possibly true in some alternative state of affairs. The

semantics for modal logic is given by means of Kripke structures. A Kripke structure is a tuple hW, R, Li, where W is a set of states, R ⊆ W ×W is a relation between states, andL:W →2^AP is a labeling function (AP is a set of atomic propositions). Note that a signature in modal logic is given by a set of propositional letters:h{pi}_i∈Ii. The interested reader can consult [29].

In [25] modal formulae are prefixed by labels denoting semantic states. La- beled formulae are then terms of the form ` : ϕ, where ϕ is a modal formula and`is a sequence of natural numbersn₀, . . . , n_k. The relationRbetween these labels is then defined in the following way:`R`⁰ ≡ ∃n:`, n=`⁰. The new rules are the following:

X∪ {`:ϕ}

For all`<sup>0</sup>such that`R`<sup>0</sup>and such that`⁰appears inX [] X∪ {`:ϕ, `⁰:ϕ}

X∪ {`:♦ϕ}

For`<sup>0</sup>such that`R`⁰ [♦]

X∪ {`:♦ϕ, `⁰:ϕ}

The rules for the propositional connectives are the usual ones, obtained by labeling the formulae with a given label. Notice that labels denote states of a Kripke structure. This is related in some way to the tableau method used for first-order predicate logic. Branches, saturated branches and closed branches are defined in the same way as in Example 1, but considering the relations between sets to be also indexed by the relation used at that point. Thus, s_i −−→^ταi

Ri

s_i+1 must be understood as follows: the setsi+1 is obtained fromsi by applying rule τi to formulaαi∈siunder the accessibility relation Ri.

AssumehSign_{F OL},SenF OL,MF OL,ModsF OL,{|=^Σ_{F OL}}_{Σ∈|SignF OL|}, µF OLiis the satisfiability calculus for first-order predicate logic, denoted bySCF OL, and hSign_K,Sen_K,M_K,Mods_K,{|=^Σ_K}_{Σ∈|SignK|,µK}iis the satisfiability calculus for modal logic, denoted bySCK. Consider now the standard translation from modal logic to first-order logic. Therefore, the tuple hρ^Sign, ρ^Sen, ρ^{M od}i is defined as follows [29]:

Definition 18. ρ^Sign : Sign_K → Sign_{F OL} is defined as ρ^Sign(h{pi}_i∈Ii) = hR,{pi}_i∈Iiby mapping each propositional variable pi, for alli∈ I, to a first- order unary logic predicate pi, and adding a binary predicate R, and ρ^Sign(σ : h{pi}i∈Ii → h{p⁰_i0}i⁰∈I⁰i) =σ⁰ :hR,{pi}i∈Ii → hR⁰,{p⁰_i0}i⁰∈I⁰imappingRtoR⁰, andpi top⁰_i for alli∈ I.

Lemma 6. ρ^Signis a functor.

Definition 19. Let h{pi}i∈Ii ∈ |Sign_K|. Then ρ^Sen_h{p

i}i∈Ii : SenK(h{pi}i∈Ii)→ ρ^Sign◦SenF OL(h{pi}_i∈Ii)is defined recursively asρ^Sen_h{p

i}i∈Ii(α) =T_{h{pi}i∈Ii,x}(α) where:

T_{h{pi}i∈Ii,x}(p_i) =p⁰_i(x), for alli∈ I. T_{h{pi}i∈Ii,x}(¬α) =¬T_{h{pi}i∈Ii,x}(α)

T_{h{pi}i∈Ii,x}(α∨β) =T_{h{pi}i∈Ii,x}(α)∨T_{h{pi}i∈Ii,x}(β) T_{h{pi}i∈Ii,x}(♦α) = (∃y)(R(x, y)∧T_{h{pi}i∈Ii,y}(α))

Lemma 7. ρ^Sen is a natural transformation.

Definition 20. Let h{pi}i∈Ii ∈ |Sign_K|. Then we define ρ^{M od}_h{p

i}i∈Ii : ρ^Sign◦ ModF OL(h{pi}_i∈Ii)→ModK(h{pi}_i∈Ii)as follows:

– for all M = hS, R,{pi}i∈Ii ∈ |ModF OL(hR,{pi}i∈Ii)|, ρ^{M od}_h{p

i}i∈Ii(M) = hS, R, Li, with L(pi) ={s∈S|pi(s)}.⁸

– leth{pi}i∈Ii ∈ |Sign_K|; then for all homomorphism h:hS1, R₁,{p1i}i∈Ii → hS2, R₂,{p2i}i∈Ii ∈ ||ModF OL(hR,{pi}i∈Ii)||, we defineρ^{M od}_h{p

i}i∈Ii(h) to be bh, wherebh(s1) =s2 if and only if h(s1) =s2 for alls1∈S1.

Lemma 8. Let h{pi}i∈Ii ∈ |Sign_K|. Thenρ^{M od}_h{p

i}i∈Ii is a functor.

The proof that this is a mapping between institutions relies on the correctness of the translation presented in [29]. Using this map we can define a mapping between the corresponding satisfiability calculi. The natural transformation:γ: ρ^{T h0}◦models^0op→ models^op is defined as follows.

Definition 21. Let hh{p_i}_i∈Ii, Γi ∈ |Th^K₀ |; then

γ_h{pi}i∈Ii:ρ^{T h0}◦models^op_{F OL}(hh{pi}i∈Ii, Γi)→models^op_K(hh{pi}i∈Ii, Γi)

is defined as:

γh{p_i}_i∈Ii(hhR,{pi}i∈Ii, ∆i) =hh{pi}i∈Ii,{ϕ∈ |SenK(h{pi}i∈Ii)| |ρ^Senh{p_i}_i∈Ii(ϕ)∈∆}i

Lemma 9. Let h{pi}_i∈Ii ∈ |Sign_K|; then γ_h{pi}i∈Ii is a functor.

Lemma 10. γ:ρ^{T h0}◦models^op_{F OL}→models^op_K is a natural transformation.

Finally, the following lemma prove the equivalence of the two cells shown in Definition 17.

Lemma 11. Leth{pi}i∈Ii ∈ |Sign_K|, then

µKh{pi}i∈Ii◦γ_h{pi}i∈Ii=ρ_ρ^{M od}Sign(h{pi}i∈Ii)◦µ_{F OLρ}Sign(h{pi}i∈Ii).

This means that building a tableau using the first-order rules for the translation of a modal theory, then obtaining the corresponding canonical model in modal logic usingγ, and therefore obtaining the class of models by usingµ, is exactly the same as obtaining the first-order models by µ⁰ and then the corresponding modal models by using ρ^{M od}.

8 Notice thatρ^Sign(h{pi}i∈Ii) =hR,{pi}i∈Ii, whereh{pi}i∈Ii ∈ |Sign_K|.

4 Conclusions and Further work

Methods like resolution and tableaux are strongly related to the semantics of a logic. They are often employed to construct models, a characteristic that is miss- ing in purely deductive methods, such as natural deduction or Hilbert systems, as formalized by Meseguer. In this paper, we provided an abstract characterization of this class of semantics-based tecniques for logical systems. This was accom- plished by introducing a categorical characterization of the notion of satisfiability calculus, which covers logical tools such as tableaux, resolution, Gentzen style sequents, etc. Our new characterization of a logical system, that includes the no- tion of satisfiability calculus, provides both a proof calculus and a satisfiability calculus, which essentially implement the entailment and satisfaction relations, respectively. There clearly exist connections between these calculi that are worth exploring, especially when the underlying structure used in both definitions is the same (see Example 1).

A close analysis of the definitions of proof calculus and satisfiability cal- culus takes us to observe that the constraints imposed over some elements (e.g., the natural family of functors π_hΣ,Γi : proofs(hΣ, Γi) → Sen(hΣ, Γi) and µ_hΣ,Γi : models^op(hΣ, Γi) → Mod(hΣ, Γi)) may be too restrictive, and working on generalizations of these concepts is part of our further work. In par- ticular, it is worth noticing that partial implementations of both the entailment relation and the satisfiability relation are gaining visibility in the software engi- neering community. Examples on the syntactic side are the implementation of less expressive calculi with respect to an entailment, as in the case of the finitary definition of the reflexive and transitive closure in the Kleene algebras with tests [30], the case of the implementation of rewriting tools like Maude [31] as a par- tial implementation of equational logic, etc. Examples on the semantic side are the bounded model checkers and model finders for undecidable languages, such as Alloy [32] for relational logic, the growing family of SMT-solvers [33] for lan- guages including arithmetic, etc. Clearly, allowing for partial implementations of entailment/satisfiability relations would enable us to capture the behaviors of some of the above mentioned logical tools. In addition, functorial relations between partial proof calculi (resp., satisfiability calculi) may provide a measure for how good the method is as an approximation of the ideal entailment relation (resp., satisfaction relation). We plan to explore this possibility, as future work.

Acknowledgements

The authors would like to thank the anonymous referees for their helpful comments. This work was partially supported by the Argentinian Agency for Scientific and Technological Promotion (ANPCyT), through grants PICT PAE 2007 No. 2772, PICT 2010 No. 1690, PICT 2010 No. 2611 and PICT 2010 No.

1745, and by the MEALS project (EU FP7 programme, grant agreement No.

295261). The fourth author gratefully acknowledges the support of the National Science and Engineering Research Council of Canada and McMaster University.

References

1. Goguen, J.A., Burstall, R.M.: Introducing institutions. In Clarke, E.M., Kozen, D., eds.: Proceedings of the Carnegie Mellon Workshop on Logic of Programs. Volume 184 of LNCS., Springer-Verlag (1984) 221–256

2. Meseguer, J.: General logics. In Ebbinghaus, H.D., Fernandez-Prida, J., Garrido, M., Lascar, D., Artalejo, M.R., eds.: Proceedings of the Logic Colloquium ’87.

Volume 129., Granada, Spain, North Holland (1989) 275–329

3. Fiadeiro, J.L., Maibaum, T.S.E.: Generalising interpretations between theories in the context ofπ-institutions. In Burn, G., Gay, D., Ryan, M., eds.: Proceedings of the First Imperial College Department of Computing Workshop on Theory and Formal Methods, London, UK, Springer-Verlag (1993) 126–147

4. Goguen, J.A., Burstall, R.M.: Institutions: abstract model theory for specification and programming. Journal of the ACM39(1) (1992) 95–146

5. Tarlecki, A.: Moving between logical systems. In Haveraaen, M., Owe, O., Dahl, O.J., eds.: Selected papers from the 11th Workshop on Specification of Abstract Data Types Joint with the 8th COMPASS Workshop on Recent Trends in Data Type Specification. Volume 1130 of LNCS., Springer-Verlag (1996) 478–502 6. Sannella, D., Tarlecki, A.: Specifications in an arbitrary institution. Information

and computation76(2–3) (1988) 165–210

7. Tarlecki, A.: Abstract specification theory: an overview. In Broy, M., Pizka, M., eds.: Proceedings of the NATO Advanced Study Institute on Models, Algebras and Logic of Engineering Software. NATO Science Series, Marktoberdorf, Germany, IOS Press (2003) 43–79

8. Mossakowski, T.: Comorphism-based Grothendieck logics. In Diks, K., Rytter, W., eds.: MFCS. Volume 2420 of Lecture Notes in Computer Science., Springer (2002) 593–604

9. Mossakowski, T., Tarlecki, A.: Heterogeneous logical environments for distributed specifications. Volume 5486 of LNCS., Pisa, Italy, Springer-Verlag (2009) 266–289 10. Diaconescu, R., Futatsugi, K.: Logical foundations of CafeOBJ. Theoretical Com-

puter Science285(2) (2002) 289–318

11. Diaconescu, R.: Grothendieck institutions. Applied Categorical Structures10(4) (2002) 383–402

12. Diaconescu, R., ed.: Institution-independent Model Theory. Volume 2 of Studies in Universal Logic. Birkh¨auser (2008)

13. Mossakowski, T., Maeder, C., Luttich, K.: The heterogeneous tool set, Hets. In Grumberg, O., Huth, M., eds.: Proceedings of the 13th. International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2007). Volume 4424 of LNCS., Braga, Portugal, Springer-Verlag (2007) 519–522 14. Tarlecki, A.: Towards heterogeneous specifications. In Gabbay, D., de Rijke, M.,

eds.: Frontiers of Combining Systems. Volume 2 of Studies in Logic and Compu- tation. Research Studies Press (2000) 337–360

15. Cengarle, M.V., Knapp, A., Tarlecki, A., Wirsing, M.: A heterogeneous approach to UML semantics. In Degano, P., DeNicola, R., Meseguer, J., eds.: Proceed- ings of Concurrency, graphs and models (Essays dedicated to Ugo Montanari on the occasion of his 65th. birthday). Number 5065 in LNCS, Edinburgh, Scotland, Springer-Verlag (2008) 383–402

16. Beth, E.W.: The Foundations of Mathematics. North Holland (1959)

17. Beth, E.W.: Semantic entailment and formal derivability. In Hintikka, J., ed.: The Philosophy of Mathematics. Oxford University Press (1969) 9–41 Reprinted from [34].

18. Herbrand, J.: Investigation in proof theory. In Goldfarb, W.D., ed.: Logical Writ- ings. Harvard University Press (1969) 44–202 Translated to English from [35].

19. Gentzen, G.: Investigation into logical deduction. In Szabo, M.E., ed.: The Col- lected Papers of Gerhard Gentzen. North Holland (1969) 68–131 Translated to english from [36].

20. Smullyan, R.M.: First-order Logic. Dover Publishing (1995)

21. Robinson, J.A.: A machine-oriented logic based on the resolution principle. Journal of the ACM12(1) (1965) 23–41

22. McLane, S.: Categories for working mathematician. Graduate Texts in Mathemat- ics. Springer-Verlag, Berlin, Germany (1971)

23. Fiadeiro, J.L.: Categories for software engineering. Springer-Verlag (2005) 24. Lopez Pombo, C.G., Castro, P., Aguirre, N.M., Maibaum, T.S.E.: Satisfiability

calculus: the semantic counterpart of a proof calculus in general logics. Technical report, McMaster University, Centre for Software Certification (2011)

25. Fitting, M.: Tableau methods of proof for modal logics. Notre Dame Journal of Formal Logic13(2) (1972) 237–247 Lehman College.

26. Goguen, J.A., Rosu, G.: Institution morphisms. Formal Asp. Comput. 13(3-5) (2002) 274–307

27. Castro, P., Aguirre, N.M., Lopez Pombo, C.G., Maibaum, T.S.E.: Towards man- aging dynamic reconfiguration of software systems in a categorical setting. In Cavalcanti, A., D’eharbe, D., Gaudel, M.C., Woodcock, J., eds.: Proceedings of Theoretical Aspects of Computing - ICTAC 2010, 7th International Colloquium.

Volume 6255 of LNCS., Natal, Rio Grande do Norte, Brazil, Springer-Verlag (2010) 306–321

28. Castro, P., Aguirre, N.M., Lopez Pombo, C.G., Maibaum, T.S.E.: A categorical approach to structuring and promoting Z specifications. In Pasareanu, C., Sala¨un, G., eds.: Proceedings of FACS 2012, 9th International Symposium. Volume 7684 of LNCS., Moutain View, California, USA, Springer-Verlag (2012) 73–88

29. Blackburn, P., de Rijke, M., Venema, Y.: Modal logic. Number 53 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press (2001) 30. Kozen, D.: Kleene algebra with tests. ACM Transactions on Programming Lan-

guages and Systems19(3) (1997) 427–443

31. Clavel, M., Dur´an, F., Eker, S., Lincoln, P., Mart´ı-Oliet, N., Meseguer, J., Talcott, C.L., eds.: All About Maude - A High-Performance Logical Framework, How to Specify, Program and Verify Systems in Rewriting Logic. In Clavel, M., Dur´an, F., Eker, S., Lincoln, P., Mart´ı-Oliet, N., Meseguer, J., Talcott, C.L., eds.: All About Maude. Volume 4350 of Lecture Notes in Computer Science., Springer (2007) 32. Jackson, D.: Alloy: a lightweight object modelling notation. ACM Transactions

on Software Engineering and Methodology11(2) (2002) 256–290

33. Moura, L.D., Bjørner, N.: Satisfiability modulo theories: introduction and appli- cations. Communications of the ACM54(9) (2011) 69–77

34. Beth, E.W.: Semantic entailment and formal derivability. Mededlingen van de Koninklijke Nederlandse Akademie van Wetenschappen, Afdeling Letterkunde 18(13) (1955) 309–342 Reprinted in [17].

35. Herbrand, J.: Recherches sur la theorie de la demonstration. PhD thesis, Universit´e de Paris (1930) English translation in [18].

36. Gentzen, G.: Untersuchungen tiber das logische schliessen. Mathematische Zeitschrijt39(1935) 176–210 and 405–431 English translation in [19].